In a distributed denial of service attack, or DDOS, a large number of computers send data to a target computer with the intent of saturating its network links and/or overloading the server, thereby “denying service” to actual users of that server. In this case Anonymous, a group of online vigilantes, have launched DDOS attacks against MasterCard, PayPal, and other companies that have taken anti-Wikileaks steps that they (and I) don’t approve of.

Evgeny Morozov points me to this post, which reports that a German court was apparently persuaded that DDOS attacks are a form of civil disobedience, like a sit-in. This comparison strikes me as not just wrong but kind of ridiculous.

The Internet is a collaborative network built on strong implicit norms of trust. There’s no global governance body or formal enforcement mechanisms for many of the Internet’s norms, but things work pretty well because most people behave responsibly. This responsible behavior comes in two parts. Ordinary users obey the norms without even knowing about them because they are baked into the hardware and software we all use. For example, all your life you’ve been observing the TCP backoff norm, probably without knowing about it, because your computer’s networking stack has been programmed to follow it.

Then there’s a worldwide community of engineers and sysadmins who collaborate to track down problems and cut off the small minority of people who abuse the Internet’s norms. The decentralized nature of the Internet means that no single administrator has all that much power, so their ability to respond to an attack often depends on cooperation from the systems administrators who run the network from which the attack originates. These folks are fighting a continuous, largely invisible, battle to keep the Internet running smoothly. The fact that most people never think about them is a testament to how well they do their job.

DDOS attacks work by exploiting the Internet’s open architecture and flouting its norms. Most computers on the Internet are provisioned with significantly more bandwidth than they’re expected to be using at any given moment; this allows us to have fast downloads when we need them, while leaving the extra capacity available for others to use when we don’t need it. Similarly, servers depend on relatively good behavior from client computers. Major Internet protocols like TCP/IP and HTTP don’t have any formal mechanism for limiting the amount of server capacity used by any given client; they simply trust that the vast majority of clients won’t behave maliciously. Systems administrators deal with the small minority that do behave maliciously on a case-by-case basis.
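Because the protocols leave per-client limits to whoever runs the server, throttling has to be bolted on. The sketch below is an added example, not code from the original post: a per-address token bucket that escalates to a temporary ban of the surrounding address range once several addresses in it exceed their allowance. The class names, thresholds and sample traffic (documentation address ranges) are assumptions made for illustration.

```python
"""Per-client throttling with escalation to a temporary range ban (added example)."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate: float    # tokens refilled per second (sustained requests/second)
    burst: float   # bucket capacity (largest burst served at once)
    tokens: float
    last: float    # timestamp of the previous refill

    def allow(self, now: float) -> bool:
        # Refill for the elapsed time, capped at the burst size, then spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ClientLimiter:
    """Hypothetical limiter; names and thresholds are assumptions for illustration."""

    def __init__(self, rate=4.0, burst=8.0, range_threshold=3, ban_seconds=600.0):
        self.rate, self.burst = rate, burst
        self.range_threshold = range_threshold  # distinct offenders before a range ban
        self.ban_seconds = ban_seconds
        self.buckets = {}                  # ip -> TokenBucket (a real server must evict idle entries)
        self.offenders = defaultdict(set)  # network -> addresses that exceeded their bucket
        self.banned_until = {}             # network -> time at which the ban lapses

    @staticmethod
    def network_of(ip: str):
        # Group IPv4 clients by /24 and IPv6 clients by /48 (assumed granularity).
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 48
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def check(self, ip: str, now: float) -> str:
        net = self.network_of(ip)
        if self.banned_until.get(net, 0.0) > now:
            return "banned"
        bucket = self.buckets.get(ip)
        if bucket is None:
            bucket = self.buckets[ip] = TokenBucket(self.rate, self.burst, self.burst, now)
        if bucket.allow(now):
            return "allow"
        # This address is over its allowance; remember it and escalate if the
        # same range now holds enough distinct offenders.
        self.offenders[net].add(ip)
        if len(self.offenders[net]) >= self.range_threshold:
            self.banned_until[net] = now + self.ban_seconds
            self.offenders[net].clear()
            return "banned"
        return "throttle"


def constructed_events():
    """Constructed sample traffic as (timestamp, source address) pairs."""
    events = [(float(t), "192.0.2.10") for t in range(10)]      # 1 request/second
    events += [(i / 64, "198.51.100.7") for i in range(128)]    # 64 requests/second for 2 s
    for host in (1, 2, 3):                                      # three bursts from one /24
        events += [(20.0, f"203.0.113.{host}")] * 12
    events.append((21.0, "203.0.113.50"))    # uninvolved neighbour, during the ban
    events.append((700.0, "203.0.113.50"))   # same neighbour, after the ban lapsed
    return sorted(events, key=lambda e: e[0])  # stable sort keeps per-client order


def replay(events, limiter=None):
    """Feed events through the limiter and tally the decisions per source address."""
    limiter = limiter or ClientLimiter()
    tally = defaultdict(Counter)
    for now, ip in events:
        tally[ip][limiter.check(ip, now)] += 1
    return {ip: dict(counts) for ip, counts in tally.items()}


if __name__ == "__main__":
    for ip, counts in replay(constructed_events()).items():
        print(f"{ip:15} {counts}")
```

The range ban also turns away 203.0.113.50, an address that had sent nothing before the ban: blocking a range is quick to apply but costs uninvolved hosts in that range their access until it lapses.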

I’d be willing to bet that at this very moment, a small army of sysadmins at Anonymous’s various targets, and their ISPs, are working around the clock to respond to Anonymous’s attacks. They’re probably not getting paid overtime. These folks likely had no influence over their superiors’ decisions with respect to Wikileaks. And indeed, given the pro-civil-liberties slant of geeks in general, I bet a lot of them are themselves Wikileaks supporters. Some of them may even be exerting what small influence they have inside their respective companies to stand up to the government’s attacks on Wikileaks.

DDOS attacks take advantage of, and deplete, the Internet’s reservoir of trust. They are something like a kid who lives in a small town where no one locks their doors going into his neighbors’ houses and engaging in petty vandalism. The cost of his behavior isn’t so much cleaning up the vandalism as the fact that if more than a handful of people behaved that way everyone in town would be forced to put locks on their doors. Likewise, the damage of a DDOS attack isn’t (just) that the target website goes down for a few hours; it’s that sysadmins around the world are forced to build infrastructure to combat future DDOS attacks.

The comparison to sit-ins is particularly absurd because the whole point of a sit-in is its PR value. You’re trying to call the public’s attention to a business’s misbehavior and motivate other customers of that entity to pressure the business to change its behavior. You do this by being unfailingly polite and law-abiding (aside from the trespass of the sit-in itself), and by being willing to spend some time in prison to demonstrate your sincerity and respect for the law. In contrast, the people who are prevented from using MasterCard’s website may not even realize that Anonymous is responsible, and to the extent they do find out it’s through media accounts that are (justifiably) universally negative. In addition to all the other problems with what they’re doing, it’s a terrible PR strategy that generates sympathy for Anonymous’s targets and reinforces the public’s impression of Wikileaks as a rogue organization.

I suspect that most of the Anonymous participants simply don’t know any better. If this arrest is representative, the people involved are literal and metaphorical children, throwing high-tech temper tantrums without any real understanding of the consequences of their actions. These attacks are doing no serious damage to the nominal targets of the attacks and they create zero incentive for other corporate entities to change their behavior vis-a-vis Wikileaks. But they do significant and lasting damage to a variety of third parties. I don’t literally want them to “rot in prison,” but I’ll have zero sympathy if they’re caught and prosecuted.

Update: One final obvious point that I forgot to mention: while I don’t know the details of this particular attack, it’s relatively common for DDOS attacks to utilize botnets, a.k.a. networks of computers that have been remotely compromised and are being used without their owners’ knowledge or permission. Even if everything I wrote above is wrong, the use of botnets—for this or any other purpose—is flatly immoral and illegal, and no DDOS attack that utilizes them should be considered a legitimate form of political protest.

I would say that a large problem with the internet is people like you who hold forth on their blogs, lobbing around rhetorical hyperbole at the expense of facts of which they have only a passing knowledge.

Not sure if you’re just trying to simplify things for general understanding here, but there’s some weird understanding of network infrastructure going on here and some outright mistakes.

Just a few of the major points:
“Major Internet protocols like TCP/IP and HTTP don’t have any formal mechanism for limiting the amount of server capacity used by any given client”
– Outright wrong. There are a number of ways to throttle/control/balance/shape traffic. Based on port, data type, application type, connections, half-connections, etc, etc. Which can be enforced client side, in transit infrastructure (such as routers or layer 3 switches), firewalls and server side. Local ISPs do this as a pretty common practice across the board right now for certain traffic types (like BitTorrent) and during peak hours. It’s possible for any TCP/IP based connection and HTTP. The closest thing I can think of to this being right, is that it’s far more difficult and resource intensive for UTP in certain situations.

“I’d be willing to bet that at this very moment, a small army of sysadmins at Anonymous’s various targets, and their ISPs, are working around the clock to respond to Anonymous’s attacks. ”
– Severely doubt it. The impact on network performance/resources from attempting to monitor DDoS, would cause far more congestion along the connection than the attack itself would on the end ISP side. (So in that way, you could maybe then say there’s no viable means of identifying/controlling the traffic) Not to mention you’d need an extensive amount of cooperation between the ISP and target which is also unlikely. And there’d be no reason to implement a system to coordinate that (especially because of how rarely it would come into play). It’s far more economical to simply expand/configure the end server side appropriately (there are entire companies based on DDoS absorbing hosting) and ban IP ranges if it persists for any length of time.

As for building infrastructure to combat DDoS, there’s some of that already present and any host worth anything already has policies/practices in place to curb it. To start eliminating it… This I’m not entirely sure of, but I’d think you’d need to have a whole new system in place, don’t think it would be reliable enough with the current protocols. And almost certainly not worth the cost/efficiency knock.

Also, Anonymous is purported to be only voluntary, you download the LOIC (Low Orbit Ion Cannon) and basically willingly connect to what would be considered the botnet (Hivemind). There’s no real way to confirm that all machines involved are through that method though.

Actually, that part could easily be true =P I was a CCNP, on my way to CCIE, years in the field, up to management even… and I dropped the career, exactly because getting fairly paid was a nightmare and you got treated like garbage. I envied the programmers.

I understand that there are lots of techniques sysadmins can use to throttle misbehaving hosts. But none of these are formally part of the TCP/IP or HTTP protocols, and they require extra effort on the part of sysadmins. And I think you mean UDP, not UTP.

When I wrote that people are “working around the clock to respond to Anonymous’s attacks,” I meant precisely stuff like “expand/configure the end server side appropriately” and “ban IP ranges.” This kind of thing is annoying and labor-intensive.

I’m glad you clarified your earlier comment, though I still question your bottom line–‘zero sympathy if caught and prosecuted.’ Really? Even if the penalty is prison time? You think using the LOIC justifies prison time?

But this is secondary to my main critique, which is that I think you have far too narrow a view of legitimate non-violent protest. “You do this by being unfailingly polite and law-abiding (aside from the trespass of the sit-in itself), and by being willing to spend some time in prison to demonstrate your sincerity and respect for the law.” This is one tactic, yes, but it’s hardly the only one, and it’s not always the best; it depends on a lot of factors, some of which–e.g., how the public perceives it–are very hard to predict. As a moral matter, being non-violent is very important; being law-abiding, or even well-behaved, not at all.

Think about things like general strikes, or strikes that target particularly crucial infrastructure. These, too, impose huge costs on innocent third-parties, and the response by authorities is sometimes to “harden” the system in ways that are unfortunate for everybody. But I don’t think these tactics are clearly illegitimate; it depends on the objectives, the background conditions, the likelihood of success, various other things.

Hrm, that I guess is technically correct… but it seems a really strange way to phrase/view it then, especially in the practical sense. But, that would go to the need for a whole new system to make combating DDoS overall, viable. And yes, UDP, thanks for correcting the typo =)

Ah, understood then. My apologies, I took it in what I thought was the context of the two paragraphs above. I’ll say that’s especially true in Mastercard’s case then, from what was reported they’d set up their services and site in the same space, which is just crazy.

I think that a reasonable form for a decisional calculus in such a situation would be: “some of these organizations are bowing to what’s really fairly light US & allied gov. pressure, largely because they’re cowardly; the USG is limited in the sorts of genuine hard pressure it can exert, because WL isn’t actually breaking US law in significant ways. Hence, it’s not crazy to think that, for a plausibly achievable quanta of bother B, DDoS attacks could impose enough bother on some of the targets to equalize that put on them by the USG.” I think this calculus is probably wrong for most of the targets, perhaps all, but it’s not crazily wrong.

x.trapnel: Right, there are many kinds of legitimate resistance to unjust authority, and some of them are less law-abiding than others. I wasn’t intending to offer general principles for non-violent resistance to authority.

What I think makes it contemptible is the high costs to third parties relative to the target. What makes it unwise is (1) relatively low culpability of the target (of private parties relative to government), (2) extremely low probability of actually affecting the target’s opinion, and (3) horrible PR effects. I think you’re drastically underestimating how much more pressure the government can exert vis-a-vis a DDOS attack. Remember that only MasterCard’s website, not its payment system, is being taken down. The website is mostly a PR vehicle, and getting hit by an attack like this generates more than enough public sympathy to compensate for the minor inconvenience MasterCard customers experience by not being able to get to the website for a few hours. So I doubt any MasterCard execs have lost a wink of sleep over this. In contrast, there is any number of subtle ways the federal government can hurt MasterCard, and they can credibly threaten to do so for years to come. So if MC’s decision is whether to anger the US government or Wikileaks, there’s just no comparison.

A welcome contribution to the discussion, but I’m with x.trapnel, or perhaps in parallel. You may be romanticizing the sit-in because in the U.S. it historically was for a (set of) very good cause(s) and generally prevailed. But at the time it was disturbing to many, and it imposed a lot of costs on innocent third parties. Think of who may have been inconvenienced in a typical university office: secretarial and administrative staff, non-protesting students who were trying to get things done, law enforcement personnel, etc. Inconveniencing all is kind of the point: “My problem is going to be everyone’s problem until my demands are met.”

Maybe civil disobedience is wrong unless it’s for a really important cause and it ultimately works. That, of course, begs at least two questions!…

I’ve been saying the same things about DDoS attacks since anonymous started their current tantrum, but I’m still struggling to come down definitely on the approving or disapproving side.

Cons: it hurts system administrators; it hurts normal people who desperately need to use credit cards that may actually sympathise with WikiLeaks; it hurts lots of small companies that are more ethical than the big corporates; it’s wrong of any group to take the law into their own hands; it is just morally repugnant, abuses trust, whatever.

But what on earth does one do with governments that listen only to corporates, not to people? Well, hurt the corporates, since they might then lobby government on behalf of the people. Governments ignore opinion polls, petitions, protest marches and sit-ins. Refusing to pay taxes gets one in prison and makes no difference anyway.

So while I kind-of disapproved while watching it all, I can’t remember any recent event in my life being as thoroughly rewarding as seeing PayPal, Mastercard and Visa go down. I’ll switch my Mastercard for an American Express after this, but that won’t cost them anywhere near as much as that one day on which their security code system failed. And people won’t ditch PayPal en masse, they are just too convenient.

Your point about the depletion of the network’s stock of trust is well taken. However, I do not think it is anonymous that is the really worrisome trust sink. Rather, I am concerned that supposedly neutral payment processors would so deplete that trust by cutting off a media outlet that has broken no laws. Perhaps, the proper response to such a flagrant violation of trust is for the network, in its distributed, voluntary contribution fashion, to cut off their access to the network to protect the stock of trust that remains from their predation.

Jim, I’m not a fan of sit-ins in general—there were some obnoxious ones over trivial issues on my campus when I was an undergrad. But if we’re talking about something like the Greensboro sit-in, I think there are at least three significant differences. One is that the ratio of damage to target/damage to third parties is a lot higher. I doubt MasterCard was hurt at all by the DDOS attacks once you factor in the PR value, and even ignoring that the short-term cost of having your website down for a few hours isn’t very high. In contrast, the costs of having your lunch counter occupied, and having your business receive polarizing press, can be pretty high.

The second difference is that the Greensboro kids were willing to show their faces. This is important from a PR perspective, and it’s also important because it imposes some discipline on the use of the tactic. The Anonymous participants do so from the comfort of their basements, and (barring prosecution) face no real costs for doing so.

Finally, in the Greensboro sit-in there was a direct relationship between the injustice being protested and the form of the protest. They were trying to provoke the police into enforcing the Jim Crow laws on them, as a way of illustrating the injustice of those laws. The Anonymous protests, in contrast, are just petty, retaliatory vandalism. It’s like TPing MasterCard’s corporate campus. It’s not tied in any specific way to the laws being protested.

And there are lots of ways people can (and many people are) supporting Wikileaks in productive ways. They can set up mirrors, donate money, boycott companies that cave, etc. These all do more to help the Wikileaks cause with much lower cost to innocent third parties.

I second Jim Harper’s comment. Your initial post seems to blur together two distinct issues: (1) the effectiveness of a particular form of civil disobedience (I agree with you here regarding the DDoS attacks), and (2) its legitimate claim to being a form of civil disobedience (a much more open question).

As Mr. Harper noted, you could argue that (2) may be in part dependent on (1), but that’s a much more difficult argument to make, and in any case, not one you were clearly making in your post.

Also, as a historical matter (though I am not a historian, and I welcome correction by the more knowledgeable), my understanding is that in addition to being highly disruptive to third parties, 60s era civil disobedience quite frequently drew a very negative media response, especially locally.

I think what is wrong in the first place is that banks can cut off clients from their money and donations just because the client might do something illegal but without any court decision/fair trial. This makes it very hard or even impossible for organizations to operate.

That is what makes people angry and I understand that very well. What if your bank accounts were suddenly shut down because someone told them you might be doing something illegal?

And maybe not in your country, but over here in The Netherlands “Anonymous” are all over the news, so now about everyone over here who does not live under a rock, knows what they are doing and why.

Here’s another interesting historical case to consider: the Stonewall riots

The Stonewall riots are widely considered the defining moment in sparking the gay rights movement. Not only were these riots not “unfailingly polite and law-abiding,” but they were actually quite violent, so they’re probably not strictly an example of civil disobedience under most definitions. Nevertheless, they fit quite comfortably alongside sit-ins in the broader category of unlawful principled opposition to unjust or immoral government practices.

A few points:

1) Unlike lunch counter sit-ins, the Stonewall rioters were expressly trying to avoid being arrested for violating an unjust law. That’s what sparked the riots in the first place. So, I think it’s too simple to equate anonymity or unwillingness to voluntarily accept punishment with illegitimacy as a form of protest.

2) The main effect of the Stonewall riots was not to score a PR win with the general public, but to galvanize the gay community itself. Likewise, even if Visa and Mastercard holders are unfazed, the DDoS attacks could still be considered a success if they helped to spur the online community into more effective future actions in opposition to censorship.

Again, I think the DDoS attacks were probably counterproductive. I also think they were ethically dubious. I just think you’re drawing lines a little too narrowly around legitimate opposition to authority.

Michael: Again, I’m not trying to offer a general theory of how to properly resist unlawful authority. I was mentioning some factors that I think distinguish the Greensboro sit-in from the Anonymous attack, not suggesting that every act of civil disobedience must have all of those characteristics.

The Stonewall riots were a spontaneous reaction to an unjust use of state authority initiated by the victims of that abuse of power. And to the extent that the riots extended to the unnecessary destruction of innocent third parties’ property, I think that’s worth criticizing even if the initial focus of the riot was laudable.

I can see the argument that the DDOS attacks are a solidarity-building exercise, but it seems to me that there are lots of more productive and targeted ways to build solidarity, like setting up mirrors.

Suppose a protester in the early 1960s had spray-painted an anti-segregation slogan on the front of a whites-only restaurant? Would that be a legitimate form of civil disobedience?

To the extent that it’s in service of a moral cause against an unjust law, and targeted at a party that’s complicit in the injustice, it seems legitimate to me. (And as a practical matter, it’s probably less costly to repair and less disruptive than a sit-in that takes away a day’s business.) On the other hand, I can definitely see the argument that actions which are ineffective or counterproductive don’t have the same claim of moral legitimacy — but this is an extremely difficult line to draw, especially ex ante.

So what about the Mastercard graffiti? To the extent that the government is in the wrong, and to the extent that Mastercard is complicit (as opposed to a victim), then it has at least some claim to being legitimate civil disobedience. To the extent that it is predictably ineffective or counterproductive (very likely in the case of the graffiti) its claim to legitimacy is undermined.

———————————

In any case, it appears now that you aren’t making as strong a claim as I took you to be making in the original post. I have a feeling we’re actually largely on the same page.

I’m not sure where I fall on this one. I do think that Catharina is right that the PR effect here shouldn’t be totally dismissed. Anonymous has probably created some buzz and caused people to think about the issues involved. I agree with Tim that it isn’t particularly damaging for MasterCard PR, but it does seem to be raising awareness at least to a certain extent.

At the same time, it is essentially vandalism and does cause material harm to innocent people. I’m totally pro-Wikileaks, but this one is definitely a gray area. I will say though that I don’t think anybody from Anonymous deserves incarceration for this.

Suppose a protester in the early 1960s had spray-painted an anti-segregation slogan on the front of a whites-only restaurant?

I have trouble imagining a situation in which this was legitimate. This is partly for PR reasons–it’s going to turn off people on the fence–but also because it’s needlessly destructive. The idea of a sit-in is to force the business to in a sense inflict damage on themselves by refusing to serve you. Simply damaging your target’s property at random in a way that draws attention to your cause is almost never OK. The only exception I can think of is if the rule of law had deteriorated to the point where a protester feared for his safety for engaging in more traditional protests like picketing.

It is worth noting here one point in favour of civil disobedience over legal protest. As Bertrand Russell observes, typically it is difficult to make the most salient facts in a dispute known through conventional channels of participation. The controllers of mainstream media tend to give defenders of unpopular views limited space to make their case. Given the sensational news value of illegal methods, however, engaging in civil disobedience often leads to wide dissemination of a position (Russell, 1998, 635). John Stuart Mill observes, with regard to dissent in general, that sometimes the only way to make a view heard is to allow, or even to invite, society to ridicule and sensationalise it as intemperate and irrational (Mill, 1999). Admittedly, the success of this strategy depends partly upon the character of the society in which it is employed; but it should not be ruled out as a strategy for communication.

In response to your serious question, assuming that Mastercard has a legitimate property claim on their headquarters, then I do not have legitimate claim to paint it. However, they do not have an analogous claim on access to the network, and if they don’t like what the network does when they fail to behave themselves, their recourse is to simply not connect their servers to it. Were I to forcibly connect cables to their machines so that I could deny them the use of them with packet floods, then we could talk about how the two cases are isomorphic.

I’m not sure I understand your question. In that circumstance, I’d be upset and I can think of any number of ways I might respond—organizing a protest or boycott, filing a lawsuit, donating to the ACLU, etc—but petty vandalism wouldn’t be among them.

Timothy, I think you’ll find the Stanford page I linked to includes a reference to “spray-paint”:

There is more agreement amongst thinkers that civil disobedience can be either direct or indirect. In other words, civil disobedients can either breach the law they oppose or breach a law which, other things being equal, they do not oppose in order to demonstrate their protest against another law or policy. Trespassing on a military base to spray-paint nuclear missile silos in protest against current military policy would be an example of indirect civil disobedience.

You should probably take a look at that page rather than keep trying to dismiss actions that you don’t like as mere “petty vandalism.”

Me too and I think that is where the story should start. It is very hard for citizens/organizations to fight against stuff like that. You can indeed start a legal procedure, but that costs money (which you have no access to) and it costs a lot of time. I think the big financial institutions have too much power in that way and until that is in balance, I have no opinion on DDOS-actions.

I think you’re confused about the nature of civil disobedience. When Gandhi and King did it, it was well-understood as breaking the law in the interest of a cause. Gandhi and King told their supporters they needed to be prepared to go to jail for the greater good.
In the 60s, it was a badge of honor to be arrested for blocking access to a racist business in a civil rights protest or access to a government building in an anti-Vietnam War protest. The folks who occupied buildings and held bureaucrats hostage were ready to accept the consequences.

What these Operation Payback (or “Operation Mom’s Basement” as I like to call them) punks are doing isn’t civil disobedience as they’re attempting to break the law without suffering the consequences. It may be “civil protest” but it’s not civil disobedience.

“What makes a breach of law an act of civil disobedience? When is civil disobedience morally justified? How should the law respond to people who engage in civil disobedience? Discussions of civil disobedience have tended to focus on the first two of these questions. On the most widely accepted account of civil disobedience, famously defended by John Rawls (1971), civil disobedience is a public, non-violent and conscientious breach of law undertaken with the aim of bringing about a change in laws or government policies. On this account, the persons who practice civil disobedience are willing to accept the legal consequences of their actions, as this shows their fidelity to the rule of law. Civil disobedience, given its place at the boundary of fidelity to law, is said to fall between legal protest, on the one hand, and conscientious refusal, revolutionary action, militant protest and organised forcible resistance, on the other hand.”

@Richard Bennet: in the times of Gandhi and Martin Luther King it was not possible to be civil disobedient and anonymous. I wonder if they would have said the same in this time. Because why would you be prepared to serve jail time under control of a system that you don’t agree with?

@Catharina: Thank you for illustrating my assertion that the modern keyboard warrior is ignorant of the nature of civil disobedience.

Civil disobedience is about breaking unjust laws in the hope that one’s prosecution will lead lawmakers to change the law; acts of anonymous vandalism are many things, but they are not civil disobedience.

It has always been possible to commit crimes and other actions anonymously, all you have to do is strike in the dead of night, wear a mask, and run fast. During Gandhi’s campaign against the British Raj, other groups committed violent, destructive acts against the Raj, and did so in such a way as to escape arrest. That’s not civil disobedience, it’s terrorism, attempting to spread fear.

When one of the Op. Mom’s Basement crowd posted a list of (apparently fake) credit card numbers to a web site and Tweeted a link anonymously, was that an act of civil disobedience or of terrorism?

The two most famous examples of civil disobedience in history are probably the teachings of Socrates and Jesus. Both were arrested and put to death, taking the ultimate punishment (despite having the chance to escape) because they believed in the principle of the Rule of Law even if they didn’t believe they had been sentenced justly.

Civil Disobedience is an act of courageous martyrdom. Don’t disrespect it by lumping anti-social cowards running Javascript on their mom’s computers for entertainment in the same category as Socrates.

The internet’s reservoir of trust? How can a software construct trust anything or anyone? End of my silly tat of word usage.

If you want to throw the word “trust” around and bend gently to barbarous ruling factions, such as the US government, then be my guest. The US government is now the most criminal when it comes to misuse of the Internet. Hundreds of “fusion centers” collect torrents of data for the sake of spying on its citizens abuse the internet’s power and “TRUST”. The same government that is looking to control it and sell its rights to the highest bidder. Our freedoms are being destroyed. The EU has already made sure that the people of Europe will remain slaves for the rest of their days, the next will be the US. We need people willing to fight…whether with words, with code or with heart. What we do NOT need are script kiddies playing code vigilante with no clue of what they’re doing. If you are going to fight…then know your Fu.

Courage is not an attribute we are born with…it is learned. The state of the world reminds me of a quote I heard years ago…I would rather die on my feet, than live on my knees.